Nmap Development mailing list archives
Re: [Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"
From: Verde Denim <tdldev () gmail com>
Date: Thu, 17 Sep 2009 14:32:44 -0400
Where can I get this script to review? I searched insecure.org and didn't find it. Thanks.

Jack

On Wed, Sep 16, 2009 at 10:38 AM, Ron <ron () skullsecurity net> wrote:

> Since nobody complained, I went ahead and committed this. I renamed it (per David's comment that the name was overly vague) and called it http-malware-host.nse. Let me know if you have any comments!
>
> Also, as usual, I wrote a blog about it: http://www.skullsecurity.org/blog/?p=340
>
> On 09/12/2009 05:39 PM, Ron wrote:
>
> > (Note: I've included both the blog author and the Nmap mailing list in this email)
> >
> > This is in response to this blog post:
> > http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
> >
> > I wrote a script to detect this botnet behaviour. Unfortunately, I don't have time to test it properly. Right now I'm looking for any server that responds with a 302 to that particular file, but not other files. I tested it against a couple servers I found, and it seems to work nicely. I wrote it really quickly, though, since I'm running late.
> >
> > I've attached the script. You'll have to:
> > a) Update to the latest Nmap SVN version
> > b) Put my script (attached) in the /scripts folder (where the other .nse files are)
> > c) run: nmap --script=http-infected <host>
> >
> > It should return the fact that the server's infected, and also where it is redirecting to.
> >
> > I'm going to be away from my computer till later tonight (~5 hours or so). Please, if anybody can test this and let me know if it's working, that'd be great!
> >
> > Sample run:
> > -
> > $ ./nmap --script=http-infected 174.143.25.37
> >
> > Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-12 17:35 CDT
> > NSE: Script Scanning completed.
> > Interesting ports on 174-143-25-37.slicehost.net (174.143.25.37):
> > Not shown: 987 closed ports
> > PORT     STATE SERVICE
> > 21/tcp   open  ftp
> > 22/tcp   open  ssh
> > 25/tcp   open  smtp
> > 53/tcp   open  domain
> > 80/tcp   open  http
> > |_ http-infected: Server appears to be clean
> > 110/tcp  open  pop3
> > 143/tcp  open  imap
> > 443/tcp  open  https
> > |_ http-infected: Server appears to be clean
> > 465/tcp  open  smtps
> > 993/tcp  open  imaps
> > 995/tcp  open  pop3s
> > 3306/tcp open  mysql
> > 8080/tcp open  http-proxy
> > |_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://bllee.homelinux.org:8080/index.php)
> >
> > $ ./nmap -p8080 --script=http-infected bllee.homelinux.org
> >
> > Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-12 17:37 CDT
> > NSE: Script Scanning completed.
> > Interesting ports on ttnetdc-200-227-107-89.ttnetdc.com (95.130.174.200):
> > PORT     STATE SERVICE
> > 8080/tcp open  http-proxy
> > |_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://krymskyilya.getmyip.com:8080/index.php)
> > -
> > And so on.
> >
> > If I don't hear of any issues by the time I get home (11pm CDT, give or take), I'll commit this and write a blog of my own on how to use it.
> >
> > Thanks!
> > Ron
> >
> > On 09/12/2009 04:55 PM, Denis Sinegubko wrote:
> >
> > > Hi Ron,
> > >
> > > Thanks for your interest in my research.
> > >
> > > Malicious web servers on port 8080 seem to be serving malicious content only when they are sure that the client is vulnerable. Otherwise they return a blank file. Actually, when you query the URL in the iframe src you get a 302 redirect to another server.
> > >
> > > -------------------
> > > wget -U Mozilla "http://174.143.25.37:8080/ts/in.cgi?open2" -O "in.h"
> > > --03:53:08--  http://174.143.25.37:8080/ts/in.cgi?open2
> > >            => `in.h'
> > > Connecting to 174.143.25.37:8080... connected.
> > > HTTP request sent, awaiting response... 302 Found
> > > Location: http://snejok131.servegame.org:8080/index.php [following]
> > > --03:53:14--  http://snejok131.servegame.org:8080/index.php
> > >            => `in.h'
> > > Resolving snejok131.servegame.org... done.
> > > Connecting to snejok131.servegame.org[72.3.139.94]:8080... connected.
> > > HTTP request sent, awaiting response... 200 OK
> > > Length: 0 [text/html]
> > > -------------------
> > >
> > > Something like this. Hope this helps.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
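The check Ron describes above (the one path answers with a 302 while other paths do not), as an added Python re-implementation that is not the http-infected/http-malware-host NSE script from the thread. The control path, the `Response` type and the function names are assumptions; the request deliberately does not follow redirects, which is what lets the 302 itself be observed.

```python
"""Infected-host check modelled on the thread: report a host only when the
suspicious path redirects (302) and an ordinary control path does not.
Added example; not the NSE script discussed on the list."""
import http.client
from dataclasses import dataclass
from typing import Optional, Tuple

PROBE_PATH = "/ts/in.cgi?open2"            # path quoted in the thread
CONTROL_PATH = "/nonexistent-control-path"  # assumption: any path the malware is not hooked on
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    """Only the two fields the check needs (hypothetical helper type)."""
    status: int
    location: Optional[str] = None


def classify(probe: Response, control: Response) -> Tuple[str, Optional[str]]:
    """Apply Ron's rule to two already-fetched responses.

    Returns ("infected" | "inconclusive" | "clean", redirect target or None).
    A host that redirects *everything* is not the described behaviour, so it
    is flagged as inconclusive rather than infected."""
    probe_redirects = probe.status == 302 and bool(probe.location)
    control_redirects = control.status in REDIRECT_CODES
    if probe_redirects and not control_redirects:
        return "infected", probe.location
    if probe_redirects and control_redirects:
        return "inconclusive", probe.location
    return "clean", None


def fetch(host: str, port: int, path: str, timeout: float = 5.0) -> Response:
    """One GET without following redirects; http.client never follows them.
    The User-Agent mirrors the `wget -U Mozilla` request in the thread."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "Mozilla"})
        r = conn.getresponse()
        return Response(r.status, r.getheader("Location"))
    finally:
        conn.close()


def check_host(host: str, port: int = 8080) -> Tuple[str, Optional[str]]:
    """Fetch probe and control paths on one host and classify the pair."""
    return classify(fetch(host, port, PROBE_PATH), fetch(host, port, CONTROL_PATH))


if __name__ == "__main__":
    print(check_host("HOST-TO-CHECK.example"))  # placeholder host
```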